TCP header options
Use TCP header options to check the properties of the TCP header.
src_port
Check the source port number or range.
Syntax:
--src_port [!]<number>;
The placement of : indicates less than or equal to:
--src_port [!]:<number>;
The placement of : indicates greater than or equal to:
--src_port [!]<number>:;
The placement of : indicates a range, exclusive of endpoints:
--src_port [!]<number>:<number>;
The optional prefix ! means exclude.
Example:
Greater than or equal to 1000
--src_port 1000:;
dst_port
Check the destination port number or range.
Syntax:
--dst_port [!]<number>;
Equal to:
--dst_port [!]:<number>;
Greater than or equal to:
--dst_port [!]<number>:;
Range, exclusive of endpoints:
--dst_port [!]<number>:<number>; placement of : indicates a range, exclusive of endpoints
The optional prefix ! means exclude.
Example:
Greater than or equal to 100 and less than or equal to 200:
--dst_port 100:200;
seq
Check the TCP sequence number value or range.
Syntax:
--seq <number>[,relative];
Equal to:
--seq =,<number>[,relative];
Greater than:
--seq >,<number>[,relative]:;
Less than:
--seq <,<number>[,relative];
Not equal to :
--seq !,<number>[,relative];
The optional field relative indicates the value is relative to the initial sequence number of the TCP session. No prefix defaults to "equal to."
Examples:
--seq <,12345;
--seq !,12345;
ack
Check the TCP acknowledge number for a specific value.
Syntax:
--ack <number>;
Equal to:
--ack =,<number>[,relative];
Greater than:
--ack >,<number>[,relative]:;
Less than:
--ack <,<number>[,relative];
Not equal to :
--ack !,<number>[,relative];
Examples:
--ack <,12345;
--ack !,12345;
tcp_flags
Specify the TCP flags to match in a TCP packet.
Syntax:
--tcp_flags <!*+FSRPAU120>[,<FSRPAU120>];
|
Flag |
Description |
Note |
|---|---|---|
|
|
SYN |
upper case required |
|
|
ACK |
upper case required |
|
|
FIN |
upper case required |
|
|
RST |
upper case required |
|
|
URG |
upper case required |
|
|
PSH |
upper case required |
|
|
reserved bit 1 |
|
|
|
reserved bit 2 |
|
|
|
No TCP flags set |
No TCP flags set |
The first part defines the bits to match:
- The flags
S,A,F,R,U, andPmust be in upper case. - If the first digit is
0, it will stop and ignore all of the following flags. -
*matches any one of the specified bits. -
+matches all of the specified bits, plus any others. -
!matches if none of the specified bits is set. - Default matches the specified bits exactly.
The second part is optional. It identifies the bits that should be masked off before matching.
Examples:
--tcp_flags 0,12;
--tcp_flags !SAFRUP,12;
--tcp_flags S,12;
--tcp_flags S+;
--tcp_flags *SAFRUP12;
window_size
Check for the specified TCP window size.
Syntax:
--window_size [!]<number>;
--window_size [!] 0x<number>;
--window_size [>]<number>;
--window_size [<]<number>;
Examples:
--window_size 1000;
--window_size !0x1000;
tcp.src_port, tcp.dst_port, tcp.seq, tcp.ack, tcp.flags, tcp.window_size, tcp.checksum, tcp.urgent, tcp.any_option, tcp.payload_length
Check for these fields in the TCP header.
Syntax:
--tcp.[decorations] <operator><value>;
Valid operators: =, !, >=, <=, &, |, ^, and in.
Examples:
--tcp.src_port in [1111,2222];
--tcp.flags & 0x0f = 0x6;
Iterate over all options:
--tcp.any_option = 0x6052, dword;
tcp [offset]
Access any fields in TCP header in freelance mode.
Syntax:
--tcp[offset] <operator><value> [, word size] [, endianness];
Both word size and endianness are optional. By default, the engine uses BYTE and big endian.
Valid operators: =, !=, >=, <=, &, |, ^, and in.
Example:
--tcp[20] &0xF0 = 0x30;